8

First of all, I'd like to apologize beforehand if the questions I am about to ask are not really suitable for this site. I could not think of any other category to post under. Right, here goes.

We're building an offline assessment exam center as part of our internship. That's the company's lingo for a "test-taking application". Now we've been told to do some R&D as an addition to the coding, on the topic of candidate authentication in large exam centers. As per our project heads, the life-cycle of an assessment process involves the following four "touch-points" where candidate authentication is required -:

Touch-points of Assessment Life-cycle

  1. Online registration for the exam.
  2. Appearing for the exam.
  3. The interviewing process.
  4. Reporting to the job.

We've been told to focus on the "preventing impersonation" purpose of authentication (the other being verification of user eligibility, which is not part of the R&D topic).

In my country, during the online registration process the candidate is conventionally asked to quote a reference to the bank payment receipt which was deposited at the time of fee payment. They are also asked to upload a photograph. These details are then used to automatically generate an exam roll number, which is displayed on their admit card with their personal details and photograph. On exam-day, the candidate produces this admit card along with some form of government authorized ID proof, such as a driving license or passport. A signed counterfoil of the admit card is retained during the exam.

Now this process is seemingly foolproof, but it is not so in real-time. Impostors have been known to take exams at the behest of the applicant. We have been provided with some impersonation patterns or trends that have been noticed over the years in exam centers.

Impersonation Patterns

  1. Photograph Ambiguities: The candidate knowingly uploads a photograph of when they were younger. It does not completely match with the face of the applicant, and can be perceived as a photographic distortion of the impersonator's face. Casual verifications would miss the fraud.
  2. Signature Ambiguities: The candidate could provide a shorter version of their signature, which could easily be reproduced by the impersonator with some practice.
  3. Deeper Scrutiny of Photograph is Protested: Invigilators tend to ignore minor variations in the candidate's photograph partly due to the sheer number of applicants to be handled and partly to avoid protests from the candidate, which leads to a wastage of time. Other candidates could be part of the fraud, and support this protest. The invigilator tends to avoid conflict.

A few points to be noted -:

  • The demographics in such a recruitment exam is broad, with candidates of diverse gentility.
  • Invigilators are not trained in professional photograph and signature verification (not practical).
  • There is very little time available to verify all candidates with proper scrutiny.
  • Our company operates with external invigilators, and not all may be equally conscious or proficient.
  • Invigilators keep changing regularly.

Keeping these points in mind, we're looking for alternative mechanisms for authentication, which could exploit the latest digital technologies and adhere to these criteria-:

  • The solution should be logistically simple.
  • It should be accessible to the general masses.
  • It should have a very short transaction/verification time.
  • It should allow for easy data storage and retrieval.
  • It should be reliable.

We have already suggested biometric verification, retina scans, and the like to them. However these do not fit all the criteria at hand. What would you all suggest? Resources and citations would be very helpful too, if you suggest any technology that could be used.

PS: Not asking to be spoonfed. Just looking for ideas we can build on.


EDIT

I had a long chat with my project head/in-charge. We discussed the role of the invigilator thoroughly. We decided to take a different approach to the problem.

The role of the invigilator in verification is minimal. The candidate detail verification process, or impersonation detection, is done not by an invigilator or interviewer, but by a system at the end of a pair of touch-points. This eliminates or at least reduces the impact of the time factor in authentication, and also significantly reduces the possibility that the invigilator may take part in the fraud.

Next, we thought of a two-factor authentication process at each touch-point. Let me explain accordingly.

Example Approach

  • Candidate Registers: The candidate may apply for registration online or at an authorized test center. The first factor of authentication will be a photograph submitted by them, not more than 3 months old, and a government authorized ID-proof. The second factor of authentication will be, for example, some form of biometrics - retina scans, voice recognition, fingerprinting. The first factor will be used in generating the admit card. The second factor will be stored in a database. I am taking speech or voice recognition along as an example, and leaving the rest to further imagination.

The candidate will be asked to utter some standard phrase in the language of their choice, and upload it along with the online form/provide it at the test center.

  • Candidate Appears for Exam: The candidate brings their first factor details along with their admit card for the exam. The invigilator performs a casual verification, as much scrutiny is possible by the naked eye, of the photograph the candidate submitted during registration. If there is a huge difference between the photograph and the person, the person is barred from taking the exam. If the difference is too small to perceive or there is not much time to scrutinize, the invigilator lets the candidate take the exam.

Once again, the second factor details are collected and stored by the invigilator. After the exam is done with, or at the end of this touch-point, the second factor details are compared. If the error rate is beyond the permissible limit (depending on the technology being used, its success rate, etc), the candidate is disqualified and their result is deemed null and void. If not, and their result is good enough, they go through to the next round.

  • Candidate is Interviewed: In a similar vein to the previous touch-point, the candidate's first factor details are checked by the interviewer and if there is a huge difference to the naked eye, the candidate may be barred from the interview. The second factor details are collected freshly at this touch-point. The reason for this is that bodily changes must be accounted for if techniques such as speech recognition are used. The interview is usually held at a later stage, so I think that a comparison of the first two and the last two touch-points, as separate pairs, is in order. If the candidate is selected, they get the job.

  • Candidate Reports for Duty: The two-factor authentication is done once again. The photograph and government authorized ID proof are checked (a new photograph may be taken during the interview stage for this purpose, as I am assuming that some time will have passed between the recruitment exam and the interview) together by whoever is in charge. If the candidate passes this stage of authentication, their biometrics are then checked.

Now what I need is ideas on the following -:

  • How, if possible, can this approach be improved?
  • What different technologies can be used as part of second factor verification? Please cite your resources. I'd love a justification if possible.
  • If there is a technology that radically solves this problem, do mention it.
PritishC
  • The conditions that you cite do not include the allowed error rates. This is essentially a QC mechanism design problem, and without a loss function and constraints on error rates you are unlikely to arrive at a solution reasonably close to the optimum. Please feel free to add the missing info to the question. – Deer Hunter Apr 25 '13 at 18:55
  • 1
    The weakest link is the invigilators. Once bribed, they can drive fraud rates to insane levels. – Deer Hunter Apr 25 '13 at 18:59
  • I agree that the invigilators are the weakest link, and I believe this is one of the reasons companies in my country are having a hard time with recruitment exams. Hence they want to devise a method which probably bypasses the threat that rogue invigilators pose altogether. This would mean they require a foolproof method in the first two touchpoints. Henderson's method is the easiest and was even put forward by one of my team members earlier, I found. However, this being R&D, we have to collect as many ideas as we can. – PritishC Apr 26 '13 at 04:06
  • I apologize but I'm not really familiar with the lingo in QC (quality control?) design. I'm just an intern still in college. We've studied QC but not in that depth. Also, due to the fact that the invigilators keep changing in a short time period, it is not practical to train them. The company wishes to automate or at least make easier the impersonation prevention process. – PritishC Apr 26 '13 at 04:08
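
The point raised in the comments above about allowed error rates, and the "permissible limit" in the question's second-factor comparison, worked through as an added example that is not code from any poster. The similarity scores, the impostor rate, the two costs and all function names are constructed assumptions for a hypothetical voice matcher.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed similarity scores (0..1) from a hypothetical voice matcher.
# GENUINE: the same person recorded at two touch-points.
# IMPOSTOR: two different people recorded at the two touch-points.
GENUINE = [0.91, 0.88, 0.84, 0.80, 0.79, 0.76, 0.73, 0.70, 0.62, 0.55]
IMPOSTOR = [0.68, 0.60, 0.52, 0.47, 0.41, 0.38, 0.33, 0.29, 0.22, 0.15]


@dataclass(frozen=True)
class Choice:
    threshold: float  # a pair is accepted when score >= threshold
    far: float        # false accept rate: impostor pairs let through
    frr: float        # false reject rate: genuine candidates disqualified
    loss: float       # expected cost per candidate at this threshold


def error_rates(threshold: float, genuine: Sequence[float],
                impostor: Sequence[float]) -> tuple:
    """Measure (FAR, FRR) on labelled score samples for one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def expected_loss(far: float, frr: float, p_impostor: float,
                  cost_fa: float, cost_fr: float) -> float:
    """Loss function: weight each error by how often it can occur and its cost."""
    return p_impostor * far * cost_fa + (1 - p_impostor) * frr * cost_fr


def choose_threshold(genuine: Sequence[float], impostor: Sequence[float], *,
                     p_impostor: float, cost_fa: float, cost_fr: float,
                     max_far: float = 1.0, max_frr: float = 1.0) -> Optional[Choice]:
    """Pick the lowest-loss threshold that respects both error-rate limits.

    Returns None when no threshold satisfies the limits, i.e. the matcher
    cannot deliver the error rates the exam body asked for.
    """
    candidates = sorted(set(genuine) | set(impostor))
    candidates.append(candidates[-1] + 0.01)  # "reject everyone" end point
    best = None
    for t in candidates:
        far, frr = error_rates(t, genuine, impostor)
        if far > max_far or frr > max_frr:
            continue
        loss = expected_loss(far, frr, p_impostor, cost_fa, cost_fr)
        if best is None or loss < best.loss:
            best = Choice(t, far, frr, loss)
    return best


def flag_candidate(pair_scores: Dict[str, float], threshold: float) -> List[str]:
    """Return the touch-point pairs whose comparison falls below the limit."""
    return [pair for pair, score in pair_scores.items() if score < threshold]


if __name__ == "__main__":
    # Assumed operating conditions: 2% of candidates are impersonators, a
    # missed impersonation costs 100 units, a wrongly disqualified candidate 5.
    params = dict(p_impostor=0.02, cost_fa=100, cost_fr=5)
    print("no limits:   ", choose_threshold(GENUINE, IMPOSTOR, **params))
    print("FAR,FRR<=10%:", choose_threshold(GENUINE, IMPOSTOR, **params,
                                            max_far=0.1, max_frr=0.1))
    print("FAR=0,FRR<=10%:", choose_threshold(GENUINE, IMPOSTOR, **params,
                                              max_far=0.0, max_frr=0.1))
    # The question compares touch-points in two separate pairs.
    scores = {"registration-exam": 0.81, "interview-reporting": 0.48}
    print("failed pairs:", flag_candidate(scores, 0.62))
```

With these constructed samples the unconstrained optimum accepts 20% of impostor pairs, the 10%/10% limits leave exactly one workable threshold, and a zero false-accept requirement cannot be met at all.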

4 Answers

5

Ultimately, authentication of this kind is very hard when the person being authenticated is the attacker. If there are reliable government records, requiring these be presented (if allowed) is probably a good start.

Proper training of security staff is also critical to ensure that they perform a thorough check regardless of the possibility of conflict. Staging such kinds of situations and letting them know that you will have people periodically testing the security may help.

Since in this case it sounds like you control both the testing and the use for the outcome of the testing, a simpler approach may also be to photograph the individuals that take the test. This gives you control over the quality of the photo and you can then only allow the person matching the photo to use the results of the test. It may not prevent the real John Cooper from sending a fake, but when the real John Cooper tries to get a job, he won't look like the fake John Cooper and won't be able to make use of the score.

AJ Henderson
  • I understand what you say regarding proper training of staff, but according to the points to be noted section, the company doesn't wish to invest too much in invigilator training. Recruitment exams are conducted on a day-to-day basis during the placement season. Indeed, photographing the individuals who are to take the test seems like the easiest option to me. Thanks! More ideas are welcome. – PritishC Apr 25 '13 at 17:00
  • 1
    @UncleDolan - if the company doesn't want to invest in security, it gets what it pays for - **insecurity**. Purely technological solutions _can_ and **will** be subverted by social engineering. – Deer Hunter Apr 25 '13 at 18:50
  • I understand that, Deer Hunter, and also feel that companies are looking for a way to subvert social engineering with simple workarounds like the one Henderson has posted. More ideas are definitely welcome! – PritishC Apr 26 '13 at 04:10
  • @UncleDolan - although just to be clear, I agree with Deer Hunter that training and spot checks are still very important. For example, if the invigilators don't take proper photos, it may be inconclusive later on if the person is a match. You still get what you pay for even if you can find good ways to make it so you don't need to pay for quite as much. – AJ Henderson Apr 26 '13 at 12:20
  • @Henderson - Alas, that is the impractical part. As I've already mentioned earlier, training so many invigilators who are not bound to the company is not a practical solution at all. They want a method of authentication which is independent of the invigilator, or at best, minimally involves them. I am sure the invigilators are trained with the basics, but the company cannot waste too much time and money on them. – PritishC Apr 26 '13 at 14:29
5

AJ Henderson has the right solution IMHO. To expand on his approach here are the basics:

  • There has to be a security briefing for invigilators explaining the various ways that official government ID can be checked. They should be warned that your company will stage fake impersonations to test their attention.
  • Invigilators who would check IDs have to be provided cages/booths with enough lighting and decent seats, shielded from the candidates' wrath and arguments. They have to work in a low-stress environment with enough time to make decisions.
  • ID checking should be done for one person only at a time. All others must wait behind a line. Anybody arguing with an invigilator should be shot^H^H^H^H expelled without further ado. The invigilators' faces must be as mysteriously concentrated as possible to frighten the heck out of anybody trying to con you. Use armed guards if necessary.
  • To add some technology to the mix, install enough scanners and cameras to a) scan IDs and b) get the mugshots for further comparison during testing. Keep the database of known offenders.
  • Stick to the promise of staging fake impersonations. Make them convincing. Don't let the routine bog you down, there are always unemployed actors who'd like some chance income, make their circumstances and IDs vary.
  • Always have spare invigilators - if a fake impersonator is let through, you call off the silly chum who let the impersonator in and replace him tout de suite.

Lastly, forget about "multifactor authentication" and any technology buzzwords, use psychology to tighten your security.

Deer Hunter
  • P.S. Biometrics is a not-so-cheap and not-so-reliable not-a-solution. – Deer Hunter Apr 27 '13 at 17:45
  • 1
    Some of these are very good points, Deer Hunter, but I'm afraid you're missing the point of the question. While I will definitely forward these points to them in a separate mail as procedure to deal with the invigilators, my aim is to collect ideas on authentication mechanisms. We have to create a presentation on what we think will be good alternative mechanisms of authentication. Additionally there are a lot of complications regarding invigilators, fraudulent candidates and the law in my country. PS: If biometrics aren't cheap, do suggest some alternatives! – PritishC Apr 27 '13 at 17:46
  • Well, @UncleDolan, it is your research to conduct, I can only re-iterate that your task is futile: technology is not an end in itself. If you concentrate on technology, your big security picture goes out of the window. Must say I don't appreciate your attitude of nagging for clues. You get paid for this problem, I don't. While I value helping other people for the warm fuzzy feeling it brings, there are limits. **Sorry, I will not do your work for you.** – Deer Hunter Apr 27 '13 at 17:54
  • That's quite a wrong assumption, Deer Hunter. I don't get paid for this. And I apologize if I have hurt any sentiments. I completely understand your points regarding social engineering and the human element, but I don't know how else to phrase my question or where else to look. I thought I had given enough material to go on... – PritishC Apr 27 '13 at 18:39
5

Two factor authentication with Biometrics will definitely do the job but I would like to point out some issues with this technology.

  1. It is costly. This includes the cost of the devices and the manpower required to develop the system and handle the registrations.
  2. There is no single standard to store the biometric data that the world follows. Different devices will capture and store the data in different ways. So basically once you finalize a standard you will have to test the devices that are compatible and give lesser false negatives (yes that is an issue).
  3. What if a candidate has a cut on his thumb? You can not deny him from appearing for the exam. In such cases you need to implement BFD (Best Finger Detection) and things can become complex.
  4. The use of biometric technology slows down the candidate registration process.
  5. Biometric devices fail to identify fake fingers and they can be tricked by smart people.

Suggestions:

The whole purpose of this discussion is to make sure that only the deserving candidates should get the job. I feel that rather than making the registration process so complicated we should concentrate more on the real examination scenario. Why not take a picture of the candidate right before he/she is going to appear for the exam? We can use this for verification at the time of personal interview.

If at all you are willing to go for biometrics I would again suggest to collect the data at the time of the real test and verify it when the candidate appears for the interview. Here, I am assuming that there is no big time gap between the test and the real interview.

And most importantly it is up to the invigilators to do a good job with whatever identity proofs they have. Having experienced professionals always helps.

Shurmajee
  • I wager fingerprinting and retina scanning would be costly. I don't think voice recognition would be that costly though. That leaves us with not so many options. I have already iterated that invigilators are trained with the basics, and that they change regularly. The approach that I posted in the question works independent of the invigilator. – PritishC Apr 27 '13 at 19:03
  • So you suggest collecting data at the 2nd and 3rd touch-point. Hmm...noted. – PritishC Apr 27 '13 at 19:08
  • Yes to make sure that the person who gave the test is the same person that you are hiring – Shurmajee Apr 27 '13 at 19:38
4

I must admit I find your question and the security measures you're describing rather disturbing, to say the least. Parts of it literally screamed welcome to Orwellian Dystopia directly into my inner ears. In stereo, no less - the previous, and the newly proposed version both at the same time, like some off-key punctus contra punctum.

The levels of identity scrutiny you're describing are exceptional, and while they provide for an effective security theater that might work in a way scare tactics don't, the fact that you're even asking this question here shows you yourself have doubts in its effectiveness. I believe you should. These procedures you're describing are only effective in being demeaning, costly to implement and run, nearly impossible to properly control their effectiveness once in place, and fail miserably at the only thing they were meant to prevent - exam fraud.

I'll touch the ways I'd go about solving your problems later, but first a few points on why I believe your system is set to fail:

  • Black sheep detection paradox: I borrowed the title from a Blacksheep: detecting compromised hosts in homogeneous crowds (PDF) paper that might not be directly relevant, but the paradigm it describes is. Your system demands a level of conformity that prevents variations. You could use these as a way of identifying individuals attending exams. Instead, you insist on policy that inhibits these naturally occurring variations among individuals. It's what we usually refer to as individuality.

  • Demeaning procedures, diminishing results: I'm not sure what levels of identity scrutiny people you're examining are used to, or prepared to go through to attend exams, but what you're describing doesn't read as you're after extraordinary individuals. In my experience, these tend to be highly sensitive to identity scrutiny, and might find the whole procedure demeaning and offensive. You are quite possibly removing from this procedure the very ones that wouldn't even need to resort to frauds you're trying to detect. What you're left with is a statistically more fraud inclined group that is more likely to team-up in ways you are not even equipped to detect.

  • Policing the police: Who controls the invigilator? As you describe yourself, you've thought of this and are looking for ways to sidetrack their role in the identification process. What you're describing in the proposed changes is automation of this process as much as possible, which does seem an obvious choice. What I'm afraid of is that it might be either poorly implemented with too high false positive rate to be effective, too elaborate and complicated to use, or provide for new fraud vectors you haven't thought of. All of these can result in requiring even more stuff to run it than you started with, longer queues, and less reliable fraud control. A bit counterintuitive.

  • Queueueueueueueueue and system down: You'll be facing similar challenges supermarkets did, when they decided to install self checkouts. It takes time for people to adapt to a new concept and use it effectively. The way I read your proposal, most of these attendees will be first-timers, and already nervous because of the exams they're attending. Your expensive machines will thus still require personnel, to both help the pupils with the identification process, as well as make sure the system is running properly and not being tampered with in any way. It also begs the question, wouldn't this personnel do a better job on its own? And what happens when the system is down for whatever reason? Exams are canceled?

I could probably think of more possible problems with the proposed exam identification and fraud prevention system, but for the sake of argument, let's agree it's sufficiently described as ... not optimal. So what could you do to make it less prone to failure, cheaper, more reliable and effective?

Let's roll back to the reasons for such a system in the first place, as I think it's been lost in all the complicated notions on what constitutes a safe system that would cover your needs. What you are after is a way to make sure that the person later occupying a particular work position is indeed the person you certified to be suitable candidate to be there. Is that correct? OK, so let's now ask ourselves the other glaringly obvious question: What is the difference between a person that is suitable to occupy a certain work position, and the person that isn't? At the end of the day, it's this we're trying to prevent here, and I believe the answer is rather obvious - knowledge (or lack thereof) gained during the certification program, where examination for this certification is merely one way of determining it. This brings me to a few suggestions how to solve your problem:

  • Follow-up exams: These are actually quite common in some industries, including e.g. medical professions. What you let exam attendees be well aware of is their knowledge will not only be thoroughly tested at the exam they're currently attending, but may also be challenged at a later date and unannounced. Failure to produce a positive result at any later date could be an efficient deterrent for one of the exam fraud types you were describing - swapping places. You could cooperate with later employers to do such testing on their own, or you make it a standard part of your certification and something attendees need to agree with beforehand.

  • Application and interview video: You could require from all applicants to attach a personal video as a basic requirement to attend exams. You then playback the application video before the interview, and also video the interview phase itself. Both these videos are attached to the certificate you provide to both the attendee, and upon request to future employer. Simple, cost effective, and no need for expensive and less than perfect biometric systems then. Us humans possess the most effective pattern recognition system - our brain. It also saves you the trouble of investing in biometric data readers that would otherwise be required.

  • Employment interview coaching: This is really a service that you, as a certification authority, provide to future employers. It's basically an on-the-spot confirmation of conformance of the candidate the employer is interviewing with your help. I wouldn't know how it's officially called, but I assume it's called different in various professions. Mentoring is used in a few, and I've also heard it called by other names. Doesn't really matter. The idea is, that you provide as a service to future employers guidance and on-the-spot coaching of the employment interview process. How that should be done, however, entirely depends on the nature of the work position the interview is for.

I will probably add a few more suggestions at a later date, as I think of them. I should stress though, that I don't really believe technology can at this point in time provide better identification and fraud prevention than we ourselves can as human beings. Most of the problems you'd be facing come from this very same fact, and automated systems tend not to adjust to situation on hand as well as we do. I would be looking down that venue more, if I was presented with same challenges as you are. ;)

TildalWave
  • 1
    The points you have given against my proposal are quite damning. It seems that I cannot further ignore the weaknesses of an automated system and its implementation thereof. For the sake of R&D, I'll keep thinking of authentication mechanisms to provide to the company but I am going to add these points to the mail trail. – PritishC Apr 28 '13 at 05:00
  • Mayank and Deer Hunter have already pointed out that biometrics will not be cheap. I suggested speech recognition, and you have also made a simple suggestion in video recording - if not directly available to the masses, it can definitely be provided at an authorized test center or during college placement. – PritishC Apr 28 '13 at 05:00
  • 1
    @UncleDolan - I think that simplicity and availability are your friends here. Inventing a new system means you'll be dealing with a lot of unknowns for being an early adopter, on top of other obvious problems (cost factor, time-to-delivery,...). If you could pair your system's requirements with already existing technologies and abilities of the faculty to adopt to these (I imagine) new requirements, that would be IMHO optimal. One thing we should never neglect when we're talking of systems is what the word _system_ actually denotes. This exam fraud prevention isn't an isolated process. ;) – TildalWave Apr 28 '13 at 05:10
  • @TidalWave - Noted. Also, I've read 1984. I don't think my security measures are as bad or as intrusive as you describe (apart from candidate nervousness), but yes, it has its weaknesses :P – PritishC Apr 28 '13 at 08:17
  • 1
    @UncleDolan - Oh I was actually quite certain that you read it, that's why I used this admittedly a bit over the top analogy. I didn't mean any disrespect, mock your understanding or vision. On the contrary, I think your question and research clearly show a lot of effort, passion even to solve this more elegantly. I was just concerned you've been overthinking it and successfully removed all individuality off a procedure that's supposed to detect it, and is part of an educational system that should maybe rather encourage it. I believe there ought to be ways to make it work for you instead. – TildalWave Apr 28 '13 at 12:50